CWE-434: Unrestricted Upload of File with Dangerous Type
The incident_attachments.php script does not filter the extension of an uploaded attachment properly. An attacker may upload a file of any type to the web server, including a PHP script, and have the web server execute it with the privileges of the web service; a PHP shell uploaded this way serves as a backdoor. Uploaded files are stored under a path of the form /attachments-{hash}/{incident ID}/{file ID}-{file name}.{extension}. To reach an uploaded file, an attacker needs user access to the website and must also discover the attachments folder path. Two ways of recovering that path have been reported: the default attachments folder name can be brute forced because the algorithm that generates it is weak, and the move_uploaded_file.php script can be made to produce an error message that includes the folder path.

The ftp_upload_file.php script is also vulnerable: an attacker who can guess the folder path may likewise upload a file of any type to the web server and have it executed with the privileges of the web service.
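The following is an added example, not code from SiT! or from the advisory, illustrating the class of defect described above. It contrasts a denylist-style extension check (the kind of filter that lets alternate PHP handler extensions through) with an allowlist check, and shows how to derive a storage name that discards the user-supplied file name entirely. The function names, the allowlist and the sample file names are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SiT! code. The allowlist below is an assumption for the
// example; a real deployment would choose the extensions it actually needs.
const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'zip'];

/**
 * Weak check: refuses only the extensions it has heard of. Files such as
 * shell.phtml or shell.phar pass, and common Apache PHP configurations hand
 * both of those extensions to the PHP interpreter.
 */
function weak_extension_check(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php3'], true);
}

/**
 * Hardened check: the name must be a bare file name (no path separators,
 * which also refuses traversal such as ../../config.php) and its final
 * extension must be on the allowlist, compared case-insensitively.
 */
function safe_extension_check(string $filename): bool
{
    if ($filename === '' || basename($filename) !== $filename) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

/**
 * Storage name for an accepted upload: random bytes plus the validated
 * extension only. The original name, including any earlier ".php" segment
 * in a name like shell.php.txt, never reaches the filesystem. Store the
 * result in a directory outside the web root so that nothing uploaded can
 * be requested as a script.
 */
function storage_name(string $filename): ?string
{
    if (!safe_extension_check($filename)) {
        return null;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the ones an attacker would try.
$samples = [
    'report.pdf',
    'shell.php',
    'shell.PHP',
    'shell.phtml',
    'shell.phar',
    'shell.php.txt',
    '../../config.php',
    'noextension',
];

foreach ($samples as $name) {
    printf("%-20s weak=%-6s safe=%-6s stored_as=%s\n",
        $name,
        weak_extension_check($name) ? 'pass' : 'reject',
        safe_extension_check($name) ? 'pass' : 'reject',
        storage_name($name) ?? '-');
}
```

Run it with `php` from the command line. The allowlist alone is not the whole fix: keeping the uploaded file under a random name with only the validated extension, in a directory the web server does not serve as executable content, is what removes the execution path even if the allowlist is later widened by mistake.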

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The link_add.php script is vulnerable to cross-site scripting (XSS). An attacker may be able to inject arbitrary script into the link creation page.

The translate.php script is also vulnerable to XSS. An attacker may inject arbitrary script into a saved translation page; the script then runs in the browser of every user who views that page, within that user's session.

CWE-352: Cross-Site Request Forgery (CSRF)
The reporter states that most of the SiT! scripts are vulnerable to CSRF. For example, an attacker may be able to trick a logged-in user into visiting the following URL, which deletes a user account: /user_delete.php?userid=6. All pages except config.php, edit_user_permissions.php, forgotpwd.php, user_add.php and user_profile_edit.php have been reported vulnerable.
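The following is an added example, not code from SiT! or from the advisory, showing the per-session token check that a state-changing script such as user_delete.php would need in order to refuse the forged request described above. The session and request are plain arrays rather than $_SESSION and $_POST so the script runs from the command line; the function names and the field name are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SiT! code. CSRF_KEY is an assumed field name.
const CSRF_KEY = 'csrf_token';

/** Return the session's CSRF token, generating one on first use. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

/**
 * Accept the request only if it is a POST whose body carries a token equal
 * to the one in the session. A GET such as /user_delete.php?userid=6 fails
 * before the token is even looked at, and a cross-site POST fails because
 * the attacker cannot read the victim's token. hash_equals keeps the
 * comparison constant-time.
 */
function csrf_verify(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session[CSRF_KEY]) || !isset($post[CSRF_KEY]) || !is_string($post[CSRF_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $post[CSRF_KEY]);
}

/** Hidden field that every form posting to a state-changing script must carry. */
function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_KEY . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed scenario: a victim's session, the form the application renders,
// and three requests arriving at user_delete.php.
$session = [];
echo csrf_hidden_field($session), "\n";

$requests = [
    'legitimate form post' => ['POST', ['userid' => '6', CSRF_KEY => $session[CSRF_KEY]]],
    'forged GET via <img>' => ['GET',  ['userid' => '6']],
    'forged cross-site POST' => ['POST', ['userid' => '6', CSRF_KEY => 'guess']],
];

foreach ($requests as $label => [$method, $post]) {
    printf("%-24s %s\n", $label, csrf_verify($session, $method, $post) ? 'accepted' : 'refused');
}
```

The token is bound to the session, not to the user name, so it cannot be predicted from anything visible to the attacker's page; rotating it on login (after session regeneration) closes the remaining session-fixation route.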

Impact

An attacker may be able to inject arbitrary script into pages viewed by other users, perform actions as a logged-in user, or upload malicious files to the web server and have them executed with the privileges of the web service.